Threat Advisory

Git affected by remote code execution attacks

January 25, 2023 | By Accorian

Git recently patched two critical vulnerabilities that could be used to launch remote code execution attacks. The issues have been assigned CVE-2022-23521 and CVE-2022-41903. The vulnerabilities affect Git versions up to and including Git 2.39.

CVE-2022-23521 affects the gitattributes mechanism. When Git parses gitattributes, multiple integer overflows can occur when there is a huge number of path patterns or when the declared attribute names are huge. CVE-2022-41903, also a critical integer overflow vulnerability, can be triggered directly by a user running a command that invokes the commit formatting machinery, or indirectly through git archive. These integer overflows may result in arbitrary heap writes, which can lead to remote code execution.

Users of Windows, macOS, and Linux/Unix are advised to download and install the most recent Git release, v2.39.1. If upgrading is not feasible, disable git archive in untrusted repositories. According to GitLab, versions 15.7.5, 15.6.6, and 15.5.9 of GitLab Community Edition (CE) and Enterprise Edition (EE) have been issued to resolve the issues. Customers are urged to apply the fixes immediately.
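One way to triage hosts against the fixed releases named above, as an added example that is not Accorian's or the Git project's code. The function names are illustrative, and it assumes that GitLab branches newer than 15.7 already include the fix and that any Git below v2.39.1 needs review (vendor builds that backport fixes keep older version numbers, so confirm those against the vendor's own advisory).

```shell
#!/bin/sh
# Added example: compare version strings against the fixed releases named in
# the advisory (Git v2.39.1; GitLab 15.7.5, 15.6.6, 15.5.9).
GIT_FIXED="2.39.1"

# Pull the leading x.y[.z] out of strings such as
# "git version 2.39.0.windows.1" or "git version 2.37.1 (Apple Git-137.1)".
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Return 0 if version $1 is lower than $2, comparing fields numerically
# (so 2.9.5 sorts below 2.39.1, which a plain string compare gets wrong).
version_lt() {
    IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
    a3=${a3:-0}; b3=${b3:-0}
    [ "$a1" -lt "$b1" ] && return 0; [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0; [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Classify a `git --version` string: prints patched, upgrade or unknown.
check_git() {
    v=$(parse_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    if version_lt "$v" "$GIT_FIXED"; then echo upgrade; else echo patched; fi
}

# Classify a GitLab CE/EE version against the fixed release of its branch.
check_gitlab() {
    v=$(parse_version "$1")
    case $v in
        "")          echo unknown; return 0 ;;
        15.7|15.7.*) fixed=15.7.5 ;;
        15.6|15.6.*) fixed=15.6.6 ;;
        15.5|15.5.*) fixed=15.5.9 ;;
        *)           fixed=15.5.9 ;;  # older branch: upgrade; newer: assumed fixed
    esac
    if version_lt "$v" "$fixed"; then echo upgrade; else echo patched; fi
}

# Report on the local client when git is installed.
if command -v git >/dev/null 2>&1; then
    printf 'local git: %s\n' "$(check_git "$(git --version)")"
fi
```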

Accorian is ready to assist all its clients. Please feel free to reach out to us if you have any questions.

Source:

Threat Advisory Team 

Accorian
